
authmeth-16: auth state & silent change to anonymous



Authmeth-16 now says:

4. Authorization State has been changed to include

>   It is noted that other events both internal and external to LDAP may
>   result in the authentication and authorization states being moved to
>   an anonymous one.  For instance, the establishment, change, or
>   closure of security services may result in a move to an anonymous
>   state, or the user's credential information (e.g., certificate) may
>   have expired.  The former is an example of an event internal to LDAP
>   whereas the latter is an example of an event external to LDAP.

As I wrote in message
<http://www.openldap.org/lists/ietf-ldapbis/200510/msg00012.html>,

"internal" events that revert the auth to anonymous can lead to major
breakage at the client side, e.g. for clients that treat noSuchObject
as information that some value is not present in the directory.
At our site, e-mail to valid addresses would bounce since LDAP informed
the mail system that the address is not present.

I suppose the draft could allow for server admins to configure such
behaviour, and add warnings about it, but unless there is a strong call
for this functionality I don't see a good reason for blessing it.


If this change was done in response to the invalidated associations
discussions, this is not the right answer.  The possibilities that I am
aware of are that "unacceptable" requests could get some "didn't perform
the operation" result code, or cause the server to close the
connection.


OTOH, I also note that the draft has generalized the definition of
Authorization State to include other factors than the authorization ID.
I don't remember if that was discussed, but I haven't had time to follow
LDAPbis closely.  Anyway, I can see that the above change may be a
natural result of this generalization, but if so that implies that the
effect of this generalization may need to be reviewed more carefully.

-- 
Hallvard
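The failure mode Hallvard describes, as an added illustration that is not part of his message or of any ldapbis or OpenLDAP code: a toy directory whose association is silently moved to anonymous, a mail-router lookup that treats noSuchObject as "address does not exist" and bounces, and a defensive variant that first confirms its authorization identity (in real LDAP this is what the "Who am I?" extended operation is for) before trusting a negative answer. `MockDirectory`, `naive_lookup`, `defensive_lookup`, the DNs and the password are all constructed for this example.

```python
"""Toy model of a silent revert to an anonymous authorization state and its
effect on a client that reads noSuchObject as 'entry does not exist'.

Everything here (MockDirectory, the DNs, the password) is constructed for
illustration; it is not an LDAP library API.
"""
from dataclasses import dataclass, field

SUCCESS = 0
INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials
NO_SUCH_OBJECT = 32        # LDAP resultCode noSuchObject

MAILER_DN = "cn=mailer,dc=example,dc=org"
MAILER_PW = "constructed-secret"          # constructed sample value
ALICE_DN = "mail=alice@example.org,ou=people,dc=example,dc=org"


@dataclass
class MockDirectory:
    """A directory whose access control hides entries from anonymous users,
    returning noSuchObject instead of an access error (a common configuration)."""
    entries: dict = field(default_factory=lambda: {ALICE_DN: {"mailbox": "alice"}})
    authz_id: str = "anonymous"

    def bind(self, dn, password):
        if dn == MAILER_DN and password == MAILER_PW:
            self.authz_id = dn
            return SUCCESS
        self.authz_id = "anonymous"
        return INVALID_CREDENTIALS

    def expire_credentials(self):
        # The "external event" from the draft text: the association is moved
        # to an anonymous state and the client is not told.
        self.authz_id = "anonymous"

    def whoami(self):
        # Stands in for the LDAP "Who am I?" extended operation.
        return self.authz_id

    def search(self, dn):
        # Anonymous users see noSuchObject even for entries that exist.
        if self.authz_id == "anonymous" or dn not in self.entries:
            return NO_SUCH_OBJECT, None
        return SUCCESS, self.entries[dn]


def naive_lookup(directory, dn):
    """Treats noSuchObject as 'no such address' and bounces the mail."""
    code, entry = directory.search(dn)
    return "bounce" if code == NO_SUCH_OBJECT else entry["mailbox"]


def defensive_lookup(directory, dn):
    """Only trusts a negative answer obtained under the expected authorization
    identity; otherwise re-binds, and temp-fails (defers) rather than bounces."""
    if directory.whoami() != MAILER_DN:
        if directory.bind(MAILER_DN, MAILER_PW) != SUCCESS:
            return "defer"
    code, entry = directory.search(dn)
    if code == NO_SUCH_OBJECT:
        # Re-check: the state could have changed between the bind and the search.
        if directory.whoami() != MAILER_DN:
            return "defer"
        return "bounce"
    return entry["mailbox"]


def demo():
    """Returns (results before the revert, naive after, defensive after)."""
    d = MockDirectory()
    d.bind(MAILER_DN, MAILER_PW)
    before = (naive_lookup(d, ALICE_DN), defensive_lookup(d, ALICE_DN))
    d.expire_credentials()               # silent move to anonymous
    return before, naive_lookup(d, ALICE_DN), defensive_lookup(d, ALICE_DN)


if __name__ == "__main__":
    print(demo())
```

Before the revert both lookups route mail to alice; after it the naive client bounces a valid address while the defensive one re-binds and routes correctly. A genuinely unknown address still bounces under both, so the check only changes behaviour when the authorization state is not what the client assumes.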